Researchers have uncovered a malware-based espionage campaign that subjects Mac users to the same techniques that have been used for years to surreptitiously siphon confidential data out of Windows machines.

The recently discovered campaign targets Mac-using employees of several pro-Tibetan non-governmental organizations, and employs attacks exploiting already patched vulnerabilities in Microsoft Office and Oracle's Java framework, Jaime Blasco, a security researcher with AlienVault, told Ars. Over the past two weeks, he has identified two separate backdoor trojans that get installed when users open booby-trapped Word documents or website links included in e-mails sent to them. Once installed, the trojans send the computer, user, and domain name associated with the Mac to a server under the control of the attackers and then await further instructions.

"This particular backdoor has a lot of functionalities," he said of the most recent trojan he found. Victims, he said, "won't see almost anything."

Blasco's findings, which are documented in blog posts here and here, are among the first to show that Macs are being subjected to the same types of advanced persistent threats (APTs) that have plagued Windows users for years—not that the shift is particularly unexpected. As companies such as Google increasingly adopt Macs to limit their exposure to Windows-dependent exploits, it was inevitable that the spooks conducting espionage on them would make the switch, too.

"What [attackers] have been installing via APT-style, targeted attack campaigns for Windows, they're now starting to do for Macs, too," said Ivan Macalintal, a security researcher at antivirus provider Trend Micro. Macalintal has documented some of the same exploits and trojans Blasco found.

Another researcher who has confirmed the findings is Alexis Dorais-Joncas, Security Intelligence Team Leader at ESET. In his own blog post, he documented the encryption one of the trojans uses to conceal communications between infected Macs and a command and control server. He also described a series of queries sent to a test machine he infected that he believes were manually typed by a live human at the other end of the server. They invoked Unix commands to rummage through Mac folders that typically store browser cookies, passwords, and software downloads.

Commands monitored by ESET researcher Alexis Dorais-Joncas. They appear to have been manually typed in real time by someone at the other end of a command and control server.

He noted that the backdoor he observed was unable to survive a reboot on Macs where the victim's account lacked administrator privileges. That's because the /Library/Audio/Plug-Ins/AudioServer folder used to stash one of the underlying malware files isn't writable by unprivileged users. A more recent trojan analyzed by AlienVault's Blasco has overcome that shortcoming by saving the file in the less-restricted /Users/{User}/Library/LaunchAgents/ folder, which the user's own account can write to and which launchd consults at login, ensuring the backdoor gets launched every time that user logs in.
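The per-user LaunchAgents trick above is exactly the kind of thing worth sweeping for. The following is an added example, not code from AlienVault, ESET or the article: it inventories the launchd agent plists in a directory and flags any that auto-start a program from outside a small allowlist of system-owned paths (the allowlist, the sample plist contents and the directory layout are assumptions constructed for the example, not indicators from the campaign).

```python
"""Inventory launchd agent plists and flag ones that auto-start a program from a
user-writable location. Added example: not code from AlienVault, ESET or the
article; the allowlist and the sample plists below are constructed."""
import plistlib
import tempfile
from pathlib import Path

# Paths an unprivileged user cannot normally write to. A launch agent whose
# program lives elsewhere (e.g. under /Users/<name>/) deserves a second look.
# Assumption for this example; tune the allowlist for your own fleet.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/", "/Library/")


def program_of(plist):
    """Executable launchd would run: the Program key, else ProgramArguments[0]."""
    prog = plist.get("Program")
    if not prog:
        args = plist.get("ProgramArguments") or []
        prog = args[0] if args else ""
    return str(prog)


def scan_launch_agents(directory):
    """Return one finding per *.plist in `directory`, sorted by file name."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:
            # A plist launchd cannot parse does nothing, but a deliberately
            # malformed one can hide from naive tooling, so report it anyway.
            findings.append({"plist": path.name, "program": "", "suspicious": True,
                             "reason": f"unparseable plist: {exc}"})
            continue
        prog = program_of(plist)
        # RunAtLoad starts the job at login; KeepAlive restarts it if it exits.
        autostart = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
        trusted = prog.startswith(SYSTEM_PREFIXES)
        reason = ""
        if autostart and not trusted:
            reason = "auto-starts a program outside system-owned paths"
        findings.append({"plist": path.name, "program": prog,
                         "suspicious": bool(reason), "reason": reason})
    return findings


def build_sample_dir():
    """Constructed stand-in for ~/Library/LaunchAgents with one benign and one
    persistence-style agent, so the scanner can run offline."""
    d = tempfile.mkdtemp()
    benign = {"Label": "com.example.benign", "Program": "/usr/bin/true",
              "RunAtLoad": True}
    dropper = {"Label": "com.example.dropper",
               "ProgramArguments": ["/Users/alice/Library/LaunchAgents/.AudioServer/updater"],
               "RunAtLoad": True, "KeepAlive": True}
    with open(Path(d) / "com.example.benign.plist", "wb") as fh:
        plistlib.dump(benign, fh)
    with open(Path(d) / "com.example.dropper.plist", "wb") as fh:
        plistlib.dump(dropper, fh)
    return d


if __name__ == "__main__":
    for f in scan_launch_agents(build_sample_dir()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['plist']:<28} {f['program']} {f['reason']}")
```

On a real Mac you would point `scan_launch_agents` at `Path.home() / "Library/LaunchAgents"` (and at /Library/LaunchAgents and /Library/LaunchDaemons for the root-level equivalents); a launch agent that points into the user's own Library folder is not proof of compromise, but it is the first place to look when an account-level persistence mechanism is suspected.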

The backdoors are installed by exploiting critical holes in two pieces of software widely used on Macs. One of the vulnerabilities, a buffer overflow in Microsoft Office for Mac, was patched in 2009; the other, an unspecified bug in Java, was fixed in October. The Java exploit is advanced enough that it reads the user agent of the intended victim's browser and, based on the result, delivers a payload specific to machines running either Windows or OS X.

Reports of malware that targets Macs have risen steadily over the past 36 months. Most of the reported infections rely on the gullibility of users, tricking them into believing their systems are already compromised and can be disinfected by downloading and installing a piece of rogue antivirus software. Others have exploited software weaknesses to install data-stealing trojans, often requiring little interaction on the part of users. While such reports are rarer, they date back to at least July 2010.

In his blog post, Trend Micro's Macalintal said the Word exploit he observed "dropped a Gh0stRat payload," a reference to the remote-access tool used by GhostNet, a huge malware-based spy network uncovered three years ago that had infiltrated government and private offices in 103 countries. The Word exploit works by embedding Mac-native executables, known as Mach-O files, inside the booby-trapped document, Macalintal added.
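A document that carries its own Mach-O executable is easy to triage once you know what to look for: the Mach-O header magic only occurs at offset zero in a legitimate binary, so finding it in the middle of a .doc is a strong signal. The following is an added example, not Trend Micro's or the article's code: it scans a byte string for thin and fat Mach-O headers, sanity-checks the header fields so random bytes are not reported, and demonstrates the one well-known false positive (the fat magic 0xCAFEBABE is also the Java class-file magic). The plausibility thresholds and the constructed carrier bytes are assumptions for the example, not a description of the real sample.

```python
"""Look for Mach-O executables embedded inside another file (e.g. a .doc
carrier). Added example: not Trend Micro's or the article's code; the carrier
bytes built below are constructed, not a real sample."""
import struct

# Thin Mach-O magic as it appears on disk, with the byte order the header uses.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce": ("mach-o 32-bit, big-endian", ">"),
    b"\xce\xfa\xed\xfe": ("mach-o 32-bit, little-endian", "<"),
    b"\xfe\xed\xfa\xcf": ("mach-o 64-bit, big-endian", ">"),
    b"\xcf\xfa\xed\xfe": ("mach-o 64-bit, little-endian", "<"),
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the Java .class magic


def _plausible_thin(data, off, endian):
    """Sanity-check the rest of mach_header so random bytes are not reported."""
    if off + 28 > len(data):
        return False
    _cputype, _cpusub, filetype, ncmds, _sizeofcmds, _flags = struct.unpack(
        endian + "6I", data[off + 4:off + 28])
    # MH_OBJECT (1) .. MH_FILESET (12); a real image has a modest load-command
    # count. The 4096 bound is an assumption chosen for this example.
    return 1 <= filetype <= 12 and 1 <= ncmds <= 4096


def _plausible_fat(data, off):
    """Distinguish a fat header from a Java class file sharing the same magic."""
    if off + 8 > len(data):
        return False
    nfat_arch = struct.unpack(">I", data[off + 4:off + 8])[0]
    # Java stores minor/major version here (major >= 45), so a small
    # architecture count indicates a fat header. Bound of 20 is an assumption.
    return 1 <= nfat_arch <= 20


def find_embedded_macho(data):
    """Return sorted (offset, kind) pairs for every plausible Mach-O header."""
    hits = []
    for magic, (kind, endian) in THIN_MAGICS.items():
        pos = data.find(magic)
        while pos >= 0:
            if _plausible_thin(data, pos, endian):
                hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    pos = data.find(FAT_MAGIC)
    while pos >= 0:
        if _plausible_fat(data, pos):
            hits.append((pos, "fat/universal"))
        pos = data.find(FAT_MAGIC, pos + 1)
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return find_embedded_macho(fh.read())


def build_sample_carrier():
    """Constructed carrier: an OLE2 (.doc) signature, a Java class header as a
    decoy, a 64-bit little-endian mach_header, then a fat header."""
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504          # bytes 0..511
    java = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"\x00" * 8             # 512..527
    # magic, cputype (x86_64), cpusubtype, filetype MH_EXECUTE, ncmds, sizeofcmds, flags
    macho = struct.pack("<7I", 0xFEEDFACF, 0x01000007, 3, 2, 16, 1000, 0x200085)
    macho += b"\x00" * 4                                                 # 528..559
    fat = struct.pack(">2I", 0xCAFEBABE, 2) + b"\x00" * 8               # 560..575
    return ole + java + macho + fat


if __name__ == "__main__":
    for offset, kind in find_embedded_macho(build_sample_carrier()):
        print(f"offset {offset:#06x}: {kind}")
```

The header check matters more than it looks: a four-byte magic alone will match roughly once every four gigabytes of random data, and on a page like this one the Java decoy is not hypothetical, since the same campaign used a Java exploit. Carving the hit out (from the reported offset to end of file) and handing it to a Mach-O parser is the natural next step.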

Seth Hardy, a Senior Security Analyst who has been monitoring espionage attacks on pro-Tibetan groups for an organization called Citizen Lab, said it's too early to know if the recent campaign is related to Gh0stRat. Hardy—whose Citizen Lab was a principal organization in the research and publication of the Tracking GhostNet and Shadows in the Cloud cyber-espionage reports and is based at the Munk School of Global Affairs—went on to say that Macs are likely to play a growing role in future attacks.

"While APT-for-Mac (iAPT?) isn't exactly new, it does seem like the attackers are catching on that many of these organizations use Macs more than the general public," he wrote in an e-mail. "It's also interesting that the attackers are developing multi-platform attacks: we've seen the Mac malware bundled with similar Windows malware, and the delivery system will identify the user's operating system and run the appropriate program."

121 Reader Comments

I'm surprised the malware authors feel that the installed base of (Mac users) + (Who have installed Office) + (Who haven't patched it since 2009) is large enough to sustain and propagate such an infection.

Whoever it is that took control of the computer really doesn't know their way around a Unix shell.

They invest all the time and effort to hack into machines, then lose the chance to grab useful data because the guy at the other end hasn't quite worked out how files and directories work. Come on, you're not going to take down the "splittists" with these sort of amateur-hour antics.

MachO is short for Mach Object, and is the native executable format on OS X - comparable to ELF or a.out.

Is both Office and Java required for this exploit to work? Java is no longer included with the OS, and for OS versions where it is included, it is updated by the OS Software Update. Office is updated by its internal updater, which may or may not be enabled, but if Java is required as well, that should limit exposure.

I'm surprised the malware authors feel that the installed base of (Mac users) + (Who have installed Office) + (Who haven't patched it since 2009) is large enough to sustain and propagate such an infection.

Basically anyone who pirated Office. I think that is a big enough segment to be worth targeting.

The real kicker is that one of the payloads doesn't survive a reboot. But they might have enough of a window to get in and download some exploitable data... just as long as they can figure out how filesystems work (evidently they need some lessons from the above screenshot).

The real kicker is that one of the payloads doesn't survive a reboot. But they might have enough of a window to get in and download some exploitable data... just as long as they can figure out how filesystems work (evidently they need some lessons from the above screenshot).

It can be a huge window, what constitutes a reboot exactly for OSX? When I hit restart, or when it sleeps?

I only actually do restarts when xcode and various idevices completely stop working together (once a week or so) or when there are system updates. I believe at some point, the fact that you don't need to reboot or restart OSX all the time was a selling point.

I'm surprised the malware authors feel that the installed base of (Mac users) + (Who have installed Office) + (Who haven't patched it since 2009) is large enough to sustain and propagate such an infection.

This is a politically motivated malware, unlike a commercially motivated hack it's less about how many machines you can infect and more about whose machines you can infect.

More and more, these kinds of state-sponsored, narrow-band attacks are becoming a problem. The Chinese government, in particular, encourages this kind of hacking by offering bounties for espionage to privateer hackers. This allows officials to plausibly deny culpability for cyber-espionage while still reaping the intelligence. The extent to which such privateers are directly supported (with code or intelligence) is unknown but one can reasonably infer that such support exists given the quality of exploits deployed and their targets.

I'm surprised the malware authors feel that the installed base of (Mac users) + (Who have installed Office) + (Who haven't patched it since 2009) is large enough to sustain and propagate such an infection.

Like all of Google? sounds like a sweet reason to create one. Everyone runs Office to be able to successfully work with other businesses

Like all of Google? sounds like a sweet reason to create one. Everyone runs Office to be able to successfully work with other businesses

Exactly…Google dumped all the WinPC's a few years ago and gave the employees an option of using a Mac or some other unix-Linux flavor I believe. This was after the China debacle sometime.

This totally reminds me of Back Orifice! It had a trojan creator tool that would wrap any exe with the application. I had hundreds of machines at one time in the late 90's with this installed... You could mirror their screen, copy files, look for information, mirror key strokes...

Ohh the good old days... What an awesome program then they tried to make it legit...

Like all of Google? sounds like a sweet reason to create one. Everyone runs Office to be able to successfully work with other businesses

I'd think Google would have patched their Office/OS since 2009. After all, compared to going through all the effort of switching the company from Windows to OS X and adopting Mac versions of Office, applying security updates shouldn't be too much effort.

One thing I didn´t get from the article is *how* that "booby-trapped" word file works.

- Does it need to be opened in an (unpatched version of) Word to work?
- Or, just by having it installed, can the payload be unloaded by opening the file with QuickLook in Finder, or in Mail, Pages or whatever?

This is precisely why Apple is moving to a curated application system for Macs in Mountain Lion, albeit an optional one, and a sandboxed model for App Store applications. These vectors of attack, namely Java and MS Office, are completely beyond the control of Apple, and feature frameworks that can run arbitrary code. If these were App Store applications, they would not be allowed to run arbitrary code and, once sandboxing is in place, they would not be able to arbitrarily access system resources.

Someone running a fully-updated Mac is very unlikely to encounter something like this anyway, but with Mountain Lion in App Store Only mode and sandboxing implemented in the App Store, it would be essentially impossible for this type of attack to occur. That's precisely why Apple is moving to this form of security.

This is precisely why Apple is moving to a curated application system for Macs in Mountain Lion, albeit an optional one, and a sandboxed model for App Store applications. These vectors of attack, namely Java and MS Office, are completely beyond the control of Apple, and feature frameworks that can run arbitrary code. If these were App Store applications, they would not be allowed to run arbitrary code and, once sandboxing is in place, they would not be able to arbitrarily access system resources.

Someone running a fully-updated Mac is very unlikely to encounter something like this anyway, but with Mountain Lion in App Store Only mode and sandboxing implemented in the App Store, it would be essentially impossible for this type of attack to occur. That's precisely why Apple is moving to this form of security.

Drinking too much kool-aid?

The attacks will still happen there will be ways to break out of the sandbox like there always is...

Drinking too much kool-aid?

The attacks will still happen there will be ways to break out of the sandbox like there always is...

So my argument is invalid because I agree with what Apple is doing?

Also, between the sandboxing and the App Store Only setting, there's essentially no way to break out of it. That's the entire point of this method of security. Agree with it or not, it will be effective, where the find a hole and patch it method just isn't working.

Since Apple currently claims "OS X doesn’t get PC viruses." they can now qualify it with "It gets OS X viruses instead!"

Thanks to what software made by which company?

I need more coffee

Do you think that Office exploit is the only way to infect Mac??

No one with a brain thinks that. It's just silly to use an exploit in an MS program to crow about the vulnerability of OSX, especially when compared to Windows.

If you use OpenBSD logic here, Java is not shipped with the OS anymore, so this is not an OS insecurity. It's 3rd party software insecurities. And the top of the list? Microsoft! Second up? Oracle! I would hazard a guess at the third, but I think too many would get butt hurt.

Also the security implemented as a descendant of UNIX is already enough to prevent reloading between reboots.

Since Apple currently claims "OS X doesn’t get PC viruses." they can now qualify it with "It gets OS X viruses instead!"

A virus is software that can install itself without user intervention, that can spread to other computers without user intervention.

OS X does not have viruses. Period.

A Trojan is NOT a virus.

A Trojan is software that a user has to purposely/gullibly install in one's own computer before it can work. A trojan is like giving a person a gun and telling them to shoot themselves with it. Only the gullible would do that.

EVERY computer is susceptible to trojans - except for OS X Mountain Lion.

This article is about possible trojans that users can gullibly install on their Macs. It is not about viruses at all.

With OS X Mountain Lion, even Trojans will stop working at the default OS X user settings. This is because Trojans will be required to have a code signature that is registered with Apple that indicates the author of the Trojan - before the system would allow them to run. What malware author wants to be known to Apple? The Trojan would also be extremely limited in what it can do and what files it can use even if it did run.

At the highest security settings, a trojan would be limited to its own explicit data folder and can't muck around in the system. Further, the software would have to be sold at the Mac App Store. What trojan author wants that?

One currently can protect oneself from Trojans by using anti-spy programs such as Little Snitch and the even more sophisticated, Hands Off! These will prevent programs from calling home - unless you explicitly allow them to. Hands Off will even prevent Trojans from writing to files - unless you explicitly allow them to.

So my argument is invalid because I agree with what Apple is doing?

Also, between the sandboxing and the App Store Only setting, there's essentially no way to break out of it. That's the entire point of this method of security. Agree with it or not, it will be effective, where the find a hole and patch it method just isn't working.

Yes I agree it helps. BUT there is always a way around security. If you think sandboxing is 100% and there is no way out of it then you can just look over at the chrome hacks, sandbox escape, windows ASLR/DEP bypass, code execution...

Just saying you can not just say well Apple is going to sandbox the entire OS so its all good...

On a side note, as more and more companies and governmental agencies start using Macs as their main machines, this should become increasingly common.

I was on a plane the other day and walking back to the bathroom I counted 14 computers--every single one of them Macs.

I spend my days consulting in various boardrooms and there is a very *major* shift towards Mac for any org that allows its employees the choice (and many executives "go rogue" even in those orgs because they can). Places like Google and other businesses that don't have a deeply entrenched/draconian IT dept are seeing the shift much more than companies that have strict policies (obviously).

As the OP said, those are high profile targets and Mac users have relatively little history of protecting themselves against viruses/malware, so I see a major influx coming.

(PS: I run windows, lest anyone accuse me of being a propaganda fanboi).

"Reports of malware that target Macs have risen steadily over the past 36 months. "

Slow and steady wins the race, I guess.

I think we shall finally see how the differing design philosophies handle repeated attempts at security violation. I have confidence in the UNIX permissions model, and so far it is showing its utility.
